The Daily WTF: Curious Perversions in Information Technology

I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

Last post 11-29-2012 3:58 AM by PJH. 55 replies.
  • 11-26-2012 12:39 PM

    I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    They have just been hit by a tidal wave of traffic after making the front page of Reddit with an article about how everybody is pretty sick of Facebook.

    For some reason, they have deigned to take this opportunity to print_r their database access credentials in their 503 downtime notice. Their MySQL hostname, username and password are exposed by this, along with a few tidbits of information about the directory structure of the web server and the names of their database tables.

    Presumably somebody has left a debug print_r in there to output details of any failed queries. Normally it's fine, but now that the database is browned out, everything gets printed to everyone right at the moment they're getting the most traffic. Here is my favourite query:

    
    SELECT * FROM `()`
    
  • 11-26-2012 12:47 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    As I continue to stare in disbelief at this stack trace, I'm starting to build up a mental picture of the amount of WTF that resides in this codebase. For example, the misspelled "persistant" attribute of the MySQLDatabase class. And the mysterious "load_definesymbols" function.

    And by the way, what is it with highly-experienced professional PHP software engineers and inventing their own file suffixes? I swear I see this in literally every bespoke PHP codebase I encounter. In this case they've gone with ".lib", presumably to differentiate their high quality reusable code from your typical 1000 line procedural page generator PHP script. But I've come across things like .inc, .class, .tpl, or even .class.php in various different places.

  • 11-26-2012 12:52 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    It's been over a decade since my PHP days, but changing the file extension and .htaccess was a cheap-and-dirty way to stop Apache from serving up PHP files that should never be hit directly. It also helped to differentiate the purpose of the files. Note: I'm not defending this practice.

    Signatures are stupid.
  • 11-26-2012 1:30 PM In reply to

    • Fjp
    • Not Ranked
    • Joined on 10-22-2012
    • Posts 28

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    "Presumably somebody has left a debug print_r in there to output details of any failed queries." Seems perfectly reasonable. After all, it will be fully tested before going live, so there's no chance that this code will ever get executed in production.
  • 11-26-2012 1:43 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    Well their database is emptied-out by now. Hope they had backups.

    I took a screenshot for posterity in case their website 100% fails.

      <-  I couldn't make my shit work, so here's a Godzilla head.
  • 11-26-2012 1:50 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    GNU Pepper:
    Presumably somebody has left a debug print_r in there to output details of any failed queries.
     

    I. Just. I -- what?

    Doesn't PHP at least have the concept of "only output debug commands to certain IP/subnets that are local to the server?" or something like that?

    The questions-- I-- w-- when? Brain can't focus on the 5 Ws. Ack!


    HardwareGeek:

    <blink> and you're dead!



    "Where is grumpy cat?"
    - Mozilla's MOST ADVANCED USER!
  • 11-26-2012 1:53 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    blakeyrat:
    Well their database is emptied-out by now. Hope they had backups.

    I took a screenshot for posterity in case their website 100% fails.

    Is there a MySQL version of xp_cmdshell? If so, I'm sure their webserver is emptied out now. Possibly anything attached to the server, too.

     


  • 11-26-2012 1:54 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    Well we know for sure at least one PHP file remains, haha.

    IIRC back in the day PHP did have some sort of shell_exec() function, but whether it's still enabled I have no clue. (Considering this WTF, these clowns might have gone out of their way to turn it back on.)

  • 11-26-2012 1:56 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    Lorne Kates:
    Doesn't PHP at least have the concept of "only output debug commands to certain IP/subnets that are local to the server?" or something like that?
    If it does (I honestly have no idea) it's almost certainly off by default and poorly documented.

    With PHP, the question is not Does feature X exist in PHP? but rather Does any PHP developer know that feature X exists in PHP? PHP's documentation is so awful, and there's such a wealth of incredibly bad example code easily found on Google, that it doesn't really matter if a good way of doing something exists — the bad ways are almost always more discoverable and easier to implement.
  • 11-26-2012 2:03 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    Did you perhaps mean the `backtick syntax` that runs a string using the shell after doing normal variable replacements? That's a language feature and is not gonna get deprecated or removed, since it does exactly what it was designed and the design has no flaws.
  • 11-26-2012 2:31 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    Lorne Kates:
    Doesn't PHP at least have the concept of "only output debug commands to certain IP/subnets that are local to the server?" or something like that?
    No, it doesn't - there is no way to restrict the output of print_r() or even the PHP notice/warnings/errors etc without some if() statements... Personally, I like the fact that their database server, erp-db-pro-1.ucc.usyd.edu.au, resolves on their public DNS server to 172.20.9.1...
  • 11-26-2012 2:58 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    bezking:
    Personally, I like the fact that their database server, erp-db-pro-1.ucc.usyd.edu.au, resolves on their public DNS server to 172.20.9.1...
     

    Why did you bold the first half of that IP address? Is there something significant about that subnet that we ought to recognize when we see it?

  • 11-26-2012 3:03 PM In reply to

    • emurphy
    • Top 100 Contributor
    • Joined on 01-14-2005
    • Granada Hills, CA
    • Posts 576

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    Mason Wheeler:

    bezking:
    Personally, I like the fact that their database server, erp-db-pro-1.ucc.usyd.edu.au, resolves on their public DNS server to 172.20.9.1...
     

    Why did you bold the first half of that IP address? Is there something significant about that subnet that we ought to recognize when we see it?

     

     

    From RFC 1918

     

    3. Private Address Space

    The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

         10.0.0.0    -  10.255.255.255  (10/8 prefix)
         172.16.0.0  -  172.31.255.255  (172.16/12 prefix)
         192.168.0.0 -  192.168.255.255 (192.168/16 prefix)
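The check behind that bolding, as an added example that is not part of the thread: a function that tests an IPv4 address against the three RFC 1918 blocks quoted above (the 172.16/12 boundary is the one people get wrong), run over a few constructed hostname/address pairs of the kind a public-zone audit would collect. The hostnames and addresses are invented, not real University records; it assumes 64-bit PHP, where ip2long() returns a non-negative int.

```php
<?php
// Added example, not from the thread. Flags public DNS names that resolve into
// RFC 1918 space. Records below are constructed; names are not real.
// Assumes 64-bit PHP (ip2long() returns a non-negative int there).

declare(strict_types=1);

/** The three RFC 1918 blocks as [network, prefix length]. */
const RFC1918_BLOCKS = [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16]];

function inCidr(string $ip, string $network, int $prefix): bool
{
    $ipLong  = ip2long($ip);
    $netLong = ip2long($network);
    if ($ipLong === false || $netLong === false || $prefix < 0 || $prefix > 32) {
        throw new InvalidArgumentException("bad IPv4 address or prefix: $ip in $network/$prefix");
    }
    // Netmask with the top $prefix bits set, truncated to 32 bits.
    $mask = $prefix === 0 ? 0 : ((0xFFFFFFFF << (32 - $prefix)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

function isRfc1918(string $ip): bool
{
    foreach (RFC1918_BLOCKS as [$network, $prefix]) {
        if (inCidr($ip, $network, $prefix)) {
            return true;
        }
    }
    return false;
}

/** Returns the subset of host => ip records whose address is private. */
function findPrivateLeaks(array $records): array
{
    $leaks = [];
    foreach ($records as $host => $ip) {
        if (isRfc1918($ip)) {
            $leaks[$host] = $ip;
        }
    }
    return $leaks;
}

// Constructed records standing in for what gethostbynamel() or dig would return
// for names in a public zone.
$records = [
    'www.example.edu'     => '203.0.113.10',   // TEST-NET-3, a public-looking address
    'erp-db.example.edu'  => '172.20.9.1',     // inside 172.16/12
    'files.example.edu'   => '172.32.0.1',     // just outside 172.16/12, not private
    'build.example.edu'   => '10.4.2.7',
    'printer.example.edu' => '192.168.1.2',
];

foreach (findPrivateLeaks($records) as $host => $ip) {
    echo "$host -> $ip publishes an RFC 1918 address in public DNS\n";
}
// erp-db, build and printer are flagged; www and files are not.

// Cross-check against PHP's own filter, which for IPv4 applies exactly these blocks.
foreach ($records as $host => $ip) {
    $builtin = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE) === false;
    assert($builtin === isRfc1918($ip));
}
```

Whether such a record is a problem is the question PJH raises later in the thread; the check only tells you that the record exists, which is the first thing a scan of your zone will tell an attacker too.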

     

     

  • 11-26-2012 3:03 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    Mason Wheeler:

    bezking:
    Personally, I like the fact that their database server, erp-db-pro-1.ucc.usyd.edu.au, resolves on their public DNS server to 172.20.9.1...
     

    Why did you bold the first half of that IP address? Is there something significant about that subnet that we ought to recognize when we see it?

    RFC1918?
  • 11-26-2012 3:11 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    Mason Wheeler:
    Why did you
     

    .. nope. Too obvious.

    Move along. Nothing to see.

  • 11-26-2012 4:08 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

     Oh, so that's why my work's servers all begin with those numbers. I see.


    In complex analysis, a meromorphic function on an open subset D of the complex plane is a function that is holomorphic on all D except a set of isolated points

  • 11-26-2012 4:51 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    Morons! Everyone knows you wrap your debugging output in HTML comments!

    (the source is nicely formatted, anyway)

  • 11-26-2012 4:58 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    Someone You Know:
    there's such a wealth of incredibly bad example code easily found on Google, that it doesn't really matter if a good way of doing something exists — the bad ways are almost always more discoverable and easier to implement.
    It's this. Here's the proof. The first Google search result for "php mysql tutorial" is your classic terrible "webmaster tutorials" website and inadvertently teaches visitors how to build SQL injection vulnerabilities:
    
    $first=$_POST['first'];
    $last=$_POST['last'];
    $phone=$_POST['phone'];
    $mobile=$_POST['mobile'];
    $fax=$_POST['fax'];
    $email=$_POST['email'];
    $web=$_POST['web'];
    
    mysql_connect(localhost,$username,$password);
    @mysql_select_db($database) or die( "Unable to select database");
    
    $query = "INSERT INTO contacts VALUES ('','$first','$last','$phone','$mobile','$fax','$email','$web')";
    mysql_query($query);
    You can always tell you're dealing with highly-experienced professional PHP software engineers when the webserver bears the number one tell-tale mark of the cowboy.
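The same INSERT done both ways, as an added example (not the tutorial's code and not from the thread): the interpolated query from the tutorial beside the prepared-statement version, run against an in-memory SQLite "contacts" table created here with constructed form data so it works offline without MySQL. The column list and the payload are assumptions made for the demonstration.

```php
<?php
// Added example, not the tutorial's code. Re-runs the quoted INSERT two ways against
// an in-memory SQLite table (constructed here, standing in for the tutorial's MySQL
// "contacts" table) with a constructed form submission.

declare(strict_types=1);

function freshDb(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE contacts (id INTEGER, first TEXT, last TEXT, phone TEXT,
                mobile TEXT, fax TEXT, email TEXT, web TEXT)');
    return $pdo;
}

// 1. The tutorial's pattern: user input interpolated straight into the SQL text.
//    Returns the query so the caller can see exactly what the database parsed.
function insertInterpolated(PDO $pdo, array $p): string
{
    $query = "INSERT INTO contacts VALUES ('','{$p['first']}','{$p['last']}','{$p['phone']}',"
           . "'{$p['mobile']}','{$p['fax']}','{$p['email']}','{$p['web']}')";
    $pdo->exec($query);
    return $query;
}

// 2. The fix: a prepared statement. SQL text and values travel to the driver
//    separately, so no value can change the shape of the statement.
function insertPrepared(PDO $pdo, array $p): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO contacts VALUES (:id, :first, :last, :phone, :mobile, :fax, :email, :web)'
    );
    $stmt->execute([
        ':id' => '', ':first' => $p['first'], ':last' => $p['last'], ':phone' => $p['phone'],
        ':mobile' => $p['mobile'], ':fax' => $p['fax'], ':email' => $p['email'], ':web' => $p['web'],
    ]);
}

// Constructed "form submission". The surname closes the string literal, supplies the
// attacker's own values for the remaining columns, and comments out the rest.
$post = [
    'first' => 'Alice',
    'last'  => "Smith','','','','','http://attacker.example/'); --",
    'phone' => '555-0100', 'mobile' => '', 'fax' => '', 'email' => 'alice@example.org', 'web' => '',
];

$db = freshDb();
echo insertInterpolated($db, $post), "\n";
print_r($db->query('SELECT last, phone, email, web FROM contacts')->fetchAll(PDO::FETCH_ASSOC));
// last = "Smith", phone = "", email = "", web = "http://attacker.example/":
// the attacker chose the row, and the user's phone and email never arrived.

$db = freshDb();
insertPrepared($db, $post);
print_r($db->query('SELECT last, phone, email, web FROM contacts')->fetchAll(PDO::FETCH_ASSOC));
// last holds the whole payload as an ordinary string; phone and email are what was sent.
```

With the old mysql_* extension the same string reaches MySQL unchanged; mysql_real_escape_string() on every value would have been the tutorial-era fix, prepared statements (PDO or mysqli) are the one that does not depend on remembering to call it.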
  • 11-26-2012 9:01 PM In reply to

    • Daniel15
    • Not Ranked
    • Joined on 01-27-2007
    • Mountain View, CA
    • Posts 266

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    Did you take a screenshot? It's gone now but I'm curious as to what was in the stack trace :P

    Reminds me of when I saw some print_r debugging on one of the biggest news sites in Australia (news.com.au). The University of Sydney one is a lot worse though.

  • 11-27-2012 2:17 AM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    bezking:
    Lorne Kates:
    Doesn't PHP at least have the concept of "only output debug commands to certain IP/subnets that are local to the server?" or something like that?
    No, it doesn't - there is no way to restrict the output of print_r() or even the PHP notice/warnings/errors etc without some if() statements...
    Uh.. Yes there is (for warnings at least). print_r is the developer wanting to output data. Maybe he shouldn't have wanted to output it in this case.. but it was the developer's intention.

    As for hiding/showing errors... the common use is to NEVER show errors/warnings/notices on production, potentially to show them on development... and in the case of production to Log them to a file instead. Plus, if you really wanted to get creative, you could actually check for the current status of error reporting. If you are sending stuff to a log, you could trigger_error the print_r and send it to your error log as well.

    Or if you were particularly apt.. not to rely on built-in logging functions (for print_r on DB fail) and build your own logging utility

    Just because PHP is easy to make fun of, doesn't mean that you're correct in your statements.
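What the OP describes and what the post above recommends, side by side, as an added example that is not the University's code and was not posted by anyone in the thread: a wrapper that keeps its credentials as properties and print_r()s itself when a query fails, beside one that stores no secret, logs the failure and shows the visitor a generic message. Class names, property names and credentials are invented; it uses an in-memory SQLite DSN so it runs offline, and the leak works identically with a MySQL DSN.

```php
<?php
// Added example, not the University's code. Names, properties and credentials are
// invented to mirror what the OP describes. Uses SQLite in memory so it runs offline;
// with "mysql:host=...;dbname=..." the behaviour is the same.

declare(strict_types=1);

// --- The leak: credentials live on the object and the failure path dumps the object,
//     so a database brown-out prints them to every visitor at peak traffic.
final class LeakyDatabase
{
    public string $dsn;
    public string $user;
    public string $pass;
    public bool $persistant = false;     // sic, spelled as in the thread
    private PDO $pdo;

    public function __construct(string $dsn, string $user, string $pass)
    {
        $this->dsn = $dsn;
        $this->user = $user;
        $this->pass = $pass;
        $this->pdo = new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_SILENT]);
    }

    public function query(string $sql): array
    {
        $stmt = $this->pdo->query($sql);
        if ($stmt === false) {
            print_r($this);   // the "debug" that shipped: dsn, user and pass go into the response
            print_r($sql);
            return [];
        }
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// --- The fix: nothing secret on the object; failures are logged, never displayed.
final class SafeDatabase
{
    private PDO $pdo;
    private string $target;              // DSN kept for log context only; no password

    public function __construct(string $dsn, string $user, string $pass)
    {
        $this->target = $dsn;
        // The password is handed to the driver and never stored, so there is nothing to dump.
        $this->pdo = new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    }

    public function query(string $sql, array $params = []): array
    {
        try {
            $stmt = $this->pdo->prepare($sql);
            $stmt->execute($params);
            return $stmt->fetchAll(PDO::FETCH_ASSOC);
        } catch (PDOException $e) {
            // Detail for the operator goes to the server log; the visitor gets a generic
            // message and learns nothing about hosts, users or table names.
            error_log(sprintf('[db %s] %s; sql=%s', $this->target, $e->getMessage(), $sql));
            throw new RuntimeException('Database temporarily unavailable.', 0, $e);
        }
    }

    // Even a stray print_r()/var_dump() of this object shows only this (PHP 5.6+).
    public function __debugInfo(): array
    {
        return ['target' => $this->target, 'credentials' => '[redacted]'];
    }
}

// Demonstration with the thread's favourite query, which fails on any database.
$sql = 'SELECT * FROM `()`';

echo "--- leaky wrapper: what the visitor sees ---\n";
$leaky = new LeakyDatabase('sqlite::memory:', 'dbuser', 'not-a-real-password');
$leaky->query($sql);                       // dumps dsn, user, pass, persistant ...

echo "\n--- hardened wrapper ---\n";
$safe = new SafeDatabase('sqlite::memory:', 'dbuser', 'not-a-real-password');
try {
    $safe->query($sql);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";           // Database temporarily unavailable.
}
print_r($safe);                            // target and "[redacted]" only
```

The __debugInfo() hook is the belt-and-braces part: it does not make the debug call safe, it makes the object safe to debug. The real fix is still that the production code path writes to error_log() and not to the response.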
  • 11-27-2012 3:19 AM In reply to

    • PJH
    • Top 10 Contributor
    • Joined on 02-14-2007
    • Newcastle, UK
    • Posts 3,919

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    bezking:
    Personally, I like the fact that their database server, erp-db-pro-1.ucc.usyd.edu.au, resolves on their public DNS server to 172.20.9.1...
    It's quite legitimate (if highly unusual) to have hostnames publicly resolve to RFC1918 addresses.
    "Because you watched 'The Very Hungry Caterpillar,' we recommend 'The Human Centipede.'"
    --
    UED - Countryside: To kill Piers Morgan
  • Parp!
  • 11-27-2012 4:02 AM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    PJH:
    It's quite legitimate (if highly unusual) to have hostnames publicly resolve to RFC1918 addresses.
     

    It is? I thought the whole point of the private address space was that those IPs would never appear (or resolve) outside of a LAN, keeping traffic internal.

    ObDerail: many years back we had a circular from Sage (financials) bleating all about their new products. At the bottom was a link we were invited to click on, which read something like: http://192.168.0.1/websites/default/pages/index.htm (no, that's not linkified). When I informed them of the link, their response was along the lines of "we tested it here and it works fine. If you're still experiencing problems, have your Network Administrator raise a ticket with your Internet Solutions Provider".

  • 11-27-2012 4:21 AM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    Daniel15:

    Did you take a screenshot? It's gone now but I'm curious as to what was in the stack trace :P

    It's been quoted verbatim a few times in the comments on the Reddit article. Also from there:

    CaptnKhaos:

    Yeah, just gave them a call. The entire /news/ folder is throwing the error. As soon as the guy saw it, I could hear his jaw hit the floor. 9AM here, so a decent way for the helpdesk to start the day!

  • 11-27-2012 4:23 AM In reply to

    • PJH
    • Top 10 Contributor
    • Joined on 02-14-2007
    • Newcastle, UK
    • Posts 3,919

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    Cassidy:

    PJH:
    It's quite legitimate (if highly unusual) to have hostnames publicly resolve to RFC1918 addresses.
     

    It is? I thought the whole point of the private address space was that those IPs would never appear (or resolve) outside of a LAN, keeping traffic internal.

    The two aren't contradictory. It just saves having to host DNS on your private LAN to resolve addresses on your private LAN. Or in the cases where I've actually seen it, to provide a 'back-up' if the locally hosted DNS which does know about the hostnames fails for whatever reason.
  • 11-27-2012 4:55 AM In reply to

    • toon
    • Top 150 Contributor
    • Joined on 01-07-2012
    • The Netherlands
    • Posts 378

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    blakeyrat:
    Well we know for sure at least one PHP file remains, haha.

    IIRC back in the day PHP did have some sort of shell_exec() function, but whether it's still enabled I have no clue. (Considering this WTF, these clowns might have gone out of their way to turn it back on.)

    Yeah, still enabled. In fact, I had to use it in a production system the other day... BRB I need a drink.

  • 11-27-2012 6:40 AM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    PJH:
    Or in the cases where I've actually seen it, to provide a 'back-up' if the locally hosted DNS which does know about the hostnames fails for whatever reason.
     

    Ooohhh... yeah, that makes sense. Didn't think of that situation.

    "whats the IP address of our internal staging webserver?"

    "dunno. Ask the internet. They'll know..."

    I'm using the trick of hosting an unresolvable TLD (.LAN) internally so that any FQDNs unrecognised by my DNS get chucked externally. Unfortunately that means using the public A-REC for my server causes my laptop to hop out through the gateway only to stroll back in again. Makes my firewall frown at times.

  • 11-27-2012 6:45 AM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    toon:
    Yeah, still enabled.
     

    Say WHAT? I thought it could be disabled with some NOEXEC directive in php.ini.

    Aha - yup. Still enabled by default, can be cluebatted off a server with the disable_functions parameter.

    toon:
    In fact, I had to use it in a production system the other day...

    Obligatory "if u need it ur doin it rong" observ --

    toon:
    BRB I need a drink.

    -- oh.. you already know.
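The php.ini side of both problems in this thread, as an added example (not the University's configuration): the development-style values that let notices and warnings reach the browser, beside the production values, plus the disable_functions line just mentioned. The log path is an assumption. Note that display_errors governs only PHP's own errors; an explicit print_r() is ordinary output and is unaffected, which is why the debug call itself has to go.

```ini
; Added example, not the University of Sydney's php.ini. Log path is an assumption.

; --- Weak (development-style) values that let errors reach visitors:
; display_errors = On
; log_errors = Off
; disable_functions =

; --- Corrected production values:
display_errors = Off               ; never render errors into the response
display_startup_errors = Off
log_errors = On                    ; ...send them to the log instead
error_log = /var/log/php/error.log ; must be writable by the PHP user
error_reporting = E_ALL            ; still record everything, just not on screen
html_errors = Off

; Remove shell execution unless a specific application needs it. Disabling
; shell_exec also disables the backtick operator. disable_functions is
; PHP_INI_SYSTEM: it cannot be switched back on from a script or .htaccess.
disable_functions = exec,shell_exec,system,passthru,popen,proc_open

expose_php = Off                   ; stop advertising the PHP version in headers
```

If one application genuinely needs a shell call, give it its own php-fpm pool with its own php.ini rather than relaxing the server-wide list.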

  • 11-27-2012 8:32 AM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    blakeyrat:
    IIRC back in the day PHP did have some sort of shell_exec() function, but whether it's still enabled I have no clue. (Considering this WTF, these clowns might have gone out of their way to turn it back on.)
     

    I would have no doubt shell_exec() is still active, and that they've elevated Apache to run as root.  I was more curious about if MySQL had something similar-- since they've exposed their db credentials. And people can log into the DB. And then run whatever_linux_cmdshell through a query.


  • 11-27-2012 8:45 AM In reply to

    • Zemm
    • Top 50 Contributor
    • Joined on 11-25-2007
    • Gold Coast, Australia
    • Posts 1,381

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

     

    PJH:
    It's quite legitimate (if highly unusual) to have hostnames publicly resolve to RFC1918 addresses.

    What about reverse DNS?

    $ dig -x 192.168.1.2

    ; <<>> DiG 9.6-ESV-R4-P3 <<>> -x 192.168.1.2
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1441
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;2.1.168.192.in-addr.arpa.    IN    PTR

    ;; ANSWER SECTION:
    2.1.168.192.in-addr.arpa. 99258    IN    PTR    192-168-1-2.tpgi.com.au.

    ;; AUTHORITY SECTION:
    1.168.192.in-addr.arpa.    107829    IN    NS    ns1.tpgi.com.au.
    1.168.192.in-addr.arpa.    107829    IN    NS    ns2.tpgi.com.au.

    ;; Query time: 73 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Tue Nov 27 23:39:16 2012
    ;; MSG SIZE  rcvd: 115

    Of course they haven't set the forward zones:

    $ dig 192-168-1-2.tpgi.com.au

    ; <<>> DiG 9.6-ESV-R4-P3 <<>> 192-168-1-2.tpgi.com.au
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58479
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;192-168-1-2.tpgi.com.au.    IN    A

    ;; AUTHORITY SECTION:
    tpgi.com.au.        2808    IN    SOA    ns1.tpgi.com.au. dna.tpg.com.au. 2012112000 10800 3600 2419200 3600

    ;; Query time: 50 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Tue Nov 27 23:39:24 2012
    ;; MSG SIZE  rcvd: 89


    Filed Under: Can you think of something that talks, other than a person?
  • 11-27-2012 8:48 AM In reply to

    • Zemm
    • Top 50 Contributor
    • Joined on 11-25-2007
    • Gold Coast, Australia
    • Posts 1,381

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    Lorne Kates:
    and that they've elevated Apache to run as root
     

    My uni circa 2001 ran student webpages on an apache running as root (AFAWCT) and had all staff and student usernames and passwords in an unencrypted file (somewhere under /etc from memory). And had a CGI script with a directory traversal bug. Oops!

     

  • 11-27-2012 9:05 AM In reply to

    • toon
    • Top 150 Contributor
    • Joined on 01-07-2012
    • The Netherlands
    • Posts 378

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    Lorne Kates:

    I would have no doubt shell_exec() is still active, and that they've elevated Apache to run as root.

    I believe that these days, Apache runs as the apache user, and under Ubuntu (I think, but am not sure, that they as a distro are unique in that respect) anything PHP does is run as the php user. All of the preceding is under Linux; I'm not sure how that works under Windows.

  • 11-27-2012 9:09 AM In reply to

    • PJH
    • Top 10 Contributor
    • Joined on 02-14-2007
    • Newcastle, UK
    • Posts 3,919

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    Zemm:

     

    PJH:
    It's quite legitimate (if highly unusual) to have hostnames publicly resolve to RFC1918 addresses.

    What about reverse DNS?

    I would expect most public DNS (and most private) servers to effectively blackhole any reverse queries.


    Google blackhole by not replying:
    # dig -x 192.168.1.2 @8.8.8.8

    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> -x 192.168.1.2 @8.8.8.8
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11837
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;2.1.168.192.in-addr.arpa. IN PTR

    ;; Query time: 21 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Tue Nov 27 13:58:24 2012
    ;; MSG SIZE rcvd: 42


    Verizon returns localhost:
    # dig -x 192.168.1.2 @4.2.2.2

    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> -x 192.168.1.2 @4.2.2.2
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31188
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;2.1.168.192.in-addr.arpa. IN PTR

    ;; AUTHORITY SECTION:
    168.192.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800

    ;; Query time: 10 msec
    ;; SERVER: 4.2.2.2#53(4.2.2.2)
    ;; WHEN: Tue Nov 27 14:00:38 2012
    ;; MSG SIZE rcvd: 101


    Whoever we get it from gives a non-routable result:
    # dig -x 192.168.1.2 @172.16.4.1

    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> -x 192.168.1.2 @172.16.4.1
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44484
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;2.1.168.192.in-addr.arpa. IN PTR

    ;; AUTHORITY SECTION:
    168.192.in-addr.arpa. 161 IN SOA prisoner.iana.org. hostmaster.root-servers.org. 2008072202 21600 3600 1209600 86400

    ;; Query time: 0 msec
    ;; SERVER: 172.16.4.1#53(172.16.4.1)
    ;; WHEN: Tue Nov 27 14:05:31 2012
    ;; MSG SIZE rcvd: 119
  • 11-27-2012 10:14 AM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    toon:
    I believe that these days, Apache runs as the apache user, and under Ubuntu (I think, but am not sure, that they as a distro are unique in that respect) anything PHP does is run as the php user. All of the preceding is under Linux; I'm not sure how that works under Windows.
    If you're running Apache on Windows (which is goofy, but eh), then it's all in how you configure the service. IIS has its own account, of course, and gives anonymous Internet visitors to your site their own account (IUSR) for permissions purposes. And runs applications as "Network Service" by default. It's a little bit of a pain to configure it all, but it's a lot more secure by default.

    The idiots I've been having to work with for the last few months have Nginx running as root on their Ubuntu servers. I'll have to talk to them about that.

  • 11-27-2012 10:16 AM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    toon:

    I believe that these days, Apache runs as the apache user, and under Ubuntu (I think, but am not sure, that they as a distro are unique in that respect) anything PHP does is run as the php user. All of the preceding is under Linux; I'm not sure how that works under Windows.

     

    Under Linux, Apache starts as root but then switches user to "apache" or "httpd" to run lower-priv'd. It's possible to run as non-root but it involves some sudo trickery to allow a non-root account to switch to another user without authentication credentials, so most people start/stop the service as root knowing it runs in an unpriv'd context.

    Modules like suPHP allow PHP code to run in the context of another user (separate from Apache) so any trojaned site affects just that account and not other accounts.

    Under Windows, Apache is installed as a service but can be given separate logon credentials, in much the same way that IIS no longer runs as Administrator.

    Lorne Kates:
    I would have no doubt shell_exec() is still active, and that they've elevated Apache to run as root.

    Of course, it doesn't stop someone from doing precisely that. I've encountered many websites containing root-owned files with change permissions set completely open (777) because permissions weren't set properly on the webroot area - so someone rootwalked into it, then set the permissions to 777 because Apache couldn't read root-owned content.

    Arseholes.....

     

  • 11-27-2012 12:36 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    toon:
    Lorne Kates:

    I would have no doubt shell_exec() is still active, and that they've elevated Apache to run as root.

    I believe that these days, Apache runs as the apache user, and under Ubuntu (I think, but am not sure, that they as a distro are unique in that respect) anything PHP does is run as the php user. All of the preceding is under Linux; I'm not sure how that works under Windows.

    It depends purely on setup. Apache wants to start as root wherever possible (for some reason Linux complains when normal permission applications try to grab a port), but you can tell it to run as its own user. PHP will want to run as the Apache user, unless you use SuPHP to have each Apache/php process run as the website's user (which is good for security, but a pain in other ways).

    You could always chroot Apache or Lighttpd as well to be super super secure.

    So many choices!
  • 11-27-2012 1:31 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    The problem with PHP has always been that 95% of what you find online is n00b garbage that teaches either only the basics or teaches the wrong things.  PHP isn't a bad language (although ugly as sin) when it's used by a software developer who understands things like design patterns, OOP, MVC and unit tests.  The problem is most of your PHP "developers" either found one of the aforementioned bad tutorials or picked up an equally bad book, learned the basics, and started marketing themselves as a professional developer.

    There was a quote that I read once comparing Ruby on Rails to PHP and it seems fairly apt here; replace Rails with pretty much any other language/platform:  [Rails] makes it easy to write good code and hard to write bad code.  PHP makes it easy to write bad code and hard to write good code.

    The Daily WTF Forums. You will never find a more wretched hive of scum and villainy.
  • 11-27-2012 1:54 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    ObiWayneKenobi:
    There was a quote that I read once comparing Ruby on Rails to PHP and it seems fairly apt here; replace Rails with pretty much any other language/platform:  [Rails] makes it easy to write good code and hard to write bad code.  PHP makes it easy to write bad code and hard to write good code.
     

    I highly doubt that.  I've seen languages that make writing good code easier--that's one of the main reasons I prefer Delphi--but I've never seen any language or framework that makes it any harder for a bad programmer to write bad code.  I honestly doubt such a thing exists.  Stupidity will always find a way.

     

  • 11-27-2012 4:16 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    PHP doesn't really make it hard to write good code. It makes the bad code just tempting to people who aren't smart enough to make the distinction between good and bad.
  • 11-28-2012 7:07 AM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    Lorne Kates:

    Doesn't PHP at least have the concept of "only output debug commands to certain IP/subnets that are local to the server?" or something like that?

    If you're using one of the proper debug tools then yeah, you can limit where it's shown, but no programming language can protect against an idiot printing stuff to the screen if they want to :-/

     

  • 11-28-2012 7:08 AM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    blakeyrat:
    Well we know for sure at least one PHP file remains, haha.

    IIRC back in the day PHP did have some sort of shell_exec() function, but whether it's still enabled I have no clue. (Considering this WTF, these clowns might have gone out of their way to turn it back on.)

    Oh it's still there, but I don't know many sane reasons why it would be used.

     

  • 11-28-2012 7:24 AM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    GNU Pepper:
    You can always tell you're dealing with highly-experienced professional PHP software engineers when the webserver bears the number one tell-tale mark of the cowboy.
     

    Christ on a bicycle. Hey Mr Webserver tell me all about yourself, your most intimate details.


     

  • 11-28-2012 7:31 AM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    gu3st:
    PHP doesn't really make it hard to write good code. It makes the bad code just tempting to people who aren't smart enough to make the distinction between good and bad.
    The real problem though is the sheer number of bad tutorials out there still not advising about things like SQL injection, still advising the new dev to do some unbelievably stupid things.

    It's not just PHP, any language can suffer from it. Consider JavaScript. jQuery is one of the best and at the same time worst things to happen to it. I've seen people do stuff in 20 lines of jQuery that could be replaced with a few lines of straight JavaScript, and it still works perfectly well cross-browser.

  • 11-28-2012 8:21 AM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    ASheridan:
    It's not just PHP, any language can suffer from it. Consider Javascript. jQuery is one of the best and at the same time worst things to happen to it. I've seen people do stuff in 20 lines of jQuery that could be replaced with a few lines of straight Javascript,and it still works perfectly well cross-browser
    I blame StackOverflow for that. Problem? jQuery is the answer! No matter what the problem is! Desktop app? Well embed a Webkit so you can run jQuery! Database? Well write a quick function that can call out to jQuery! If you can't do it in jQuery it can't be done!

    At least they tried to make a better programming Q&A site. "Game-ify-ing" it just made it awful again though.

      <-  I couldn't make my shit work, so here's a Godzilla head.
  • 11-28-2012 8:25 AM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    ASheridan:
    I've seen people do stuff in 20 lines of jQuery that could be replaced with a few lines of straight Javascript, and it still works perfectly well cross-browser.

    And I've seen people do stuff in 20 lines of jQuery that could be replaced with a few lines of Javascript, which could be replaced by one line of jQuery.

    (Which could sometimes be replaced with zero lines of either, if they had bothered to learn CSS.)


    HardwareGeek:

    <blink> and you're dead!
    "Where is grumpy cat?"
    - Mozilla's MOST ADVANCED USER!
  • 11-28-2012 9:50 AM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    blakeyrat:
    I blame StackOverflow for that. Problem? jQuery is the answer! No matter what the problem is! Desktop app? Well embed a Webkit so you can run jQuery! Database? Well write a quick function that can call out to jQuery! If you can't do it in jQuery it can't be done!

    At least they tried to make a better programming Q&A site. "Game-ify-ing" it just made it awful again though.

    This perfectly illustrates your point:

    http://stackoverflow.com/questions/3964072/overusing-jquery

    And one of the comments below is this:

    "I figure if I'm going to load a library on a page, I may as well use it as much as I can. I try to get the bang for my buck (so to speak)."

    With attitudes like that, no wonder it gets overused.


  • 11-28-2012 11:14 AM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    What people like that don't get is the bloat jQuery adds. A normal event object is maybe, say, 2k of various data and pointers. A jQuery event object is like 5 times the size. And if you're not careful, you can wrap jQuery objects in jQuery objects in jQuery objects and make bloat-zilla.
      <-  I couldn't make my shit work, so here's a Godzilla head.
  • 11-28-2012 11:47 AM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    blakeyrat:
    And if you're not careful, you can ... make bloat-zilla.

    (first result for bloatzilla :p)

  • 11-28-2012 12:13 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    blakeyrat:
    A normal event object is maybe, say, 2k of various data and pointers. A jQuery event object is like 5 times the size.

    [citation needed]

    I do find this hard to believe, considering the total number of events a page fires off in normal use. You could see dozens of events a second just from waving your mouse around; eg mouseover, mousemove, mouseout. If it had this much overhead, I would expect these sites to perform like mud, and I really haven't seen many terribly-performing sites even when the site's author drank the whole pitcher of jQuery kool-aid.

    Window.event, even considering all the proprietary extra junk that might be on it, I'd say at most has a couple dozen properties; if we guess two dozen properties at an average of 32 bits each, we only account for 768 bits (92 bytes).

    A jQuery object might be as bloated as you say, I'm not sure how to actually measure it, but it sounds like a number pulled out of thin air.

    Signatures are stupid.
  • 11-28-2012 12:24 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    joe.edwards:

    I do find this hard to believe, considering the total number of events a page fires off in normal use. You could see dozens of events a second just from waving your mouse around; eg mouseover, mousemove, mouseout. If it had this much overhead, I would expect these sites to perform like mud, and I really haven't seen many terribly-performing sites even when the site's author drank the whole pitcher of jQuery kool-aid.

    Window.event, even considering all the proprietary extra junk that might be on it, I'd say at most has a couple dozen properties; if we guess two dozen properties at an average of 32 bits each, we only account for 768 bits (92 bytes).

    A jQuery object might be as bloated as you say, I'm not sure how to actually measure it, but it sounds like a number pulled out of thin air.

    jQuery creates new objects for each event that was triggered with it. It's not just a wrapper for addEventListener. That's not the only thing it does though. It creates a copy of the DOM as an object to allow it to search and manipulate the DOM more easily. Every match you make on the DOM using a jQuery selector is another object. This is what leads to the bloat.


  • 11-28-2012 12:26 PM In reply to

    Re: I nominate the University of Sydney for "Downtime Notice Of The Year 2012"

    My first two paragraphs were in re of a "normal event object", as in, not-jQuery.
    Signatures are stupid.
Powered by Community Server (Non-Commercial Edition), by Telligent Systems